>>HTTPS is a high-value target so one may expect clever attacks e.g. https://news.netcraft.com/archives/2016/03/17/95-of-https-servers-vulnerable-to-trivial-mitm-attacks.html . Dunno how much has changed in the year since that article.
>
>Looked at the NatWest site mentioned in the article. They are using 'Upgrade-Insecure-Requests' in the header which, I think, is similar to 'Strict-Transport-Security' except maybe only applies on a page-by-page basis?
I have no idea. The article is a year old, there's a good chance someone at that bank has seen it and responded.
Regards. Al
"Violence is the last refuge of the incompetent." -- Isaac Asimov
"Never let your sense of morals prevent you from doing what is right." -- Isaac Asimov
Neither a despot, nor a doormat, be
Every app wants to be a database app when it grows up